We’ve already briefly looked at Fujitsu Enterprise Postgres (here and here) when it comes to TDE (Transparent Data Encryption) in PostgreSQL. In this and the next post we’ll look at EDB’s distribution of PostgreSQL and how TDE can be configured and used in this commercial flavor of PostgreSQL.

To get EDB Postgres Extended Server installed you need to create an account on the EDB website. Once your account is ready you can request access to the EDB repository here. For me (on RHEL 9) this generated a token, and the repository setup was just a matter of downloading and executing the repository setup script:

[postgres@rhel9-postgres-tde sources]$ sudo curl -1sSLf 'https://downloads.enterprisedb.com/[TOKEN]/enterprise/setup.rpm.sh' | sudo -E bash
Executing the  setup script for the 'enterprisedb/enterprise' repository ...

   OK: Checking for required executable 'curl' ...
   OK: Checking for required executable 'rpm' ...
   OK: Detecting your OS distribution and release using system methods ...
 ^^^^: ... Detected/provided for your OS/distribution, version and architecture:
 >>>>:
 >>>>: ... distro=rhel  version=9.7  codename=Plow  arch=x86_64  
 >>>>:
   OK: Importing 'enterprisedb/enterprise' repository GPG keys into rpm ...
   OK: Checking for available package manager (DNF/Microdnf/YUM/Zypper) ...
 ^^^^: ... Detected package manager as 'dnf'
   OK: Checking for dnf dependency 'dnf-plugins-core' ...
   OK: Checking if upstream install config is OK ...
   OK: Fetching 'enterprisedb/enterprise' repository configuration ...
   OK: Installing 'enterprisedb/enterprise' repository via dnf ...
Importing GPG key 0x9F1EF813:
 Userid     : "Cloudsmith Package (enterprisedb/enterprise) <[email protected]>"
 Fingerprint: 31A4 CF09 0B3A E265 F131 58DE E71E B082 9F1E F813
 From       : https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
Importing GPG key 0x9F1EF813:
 Userid     : "Cloudsmith Package (enterprisedb/enterprise) <[email protected]>"
 Fingerprint: 31A4 CF09 0B3A E265 F131 58DE E71E B082 9F1E F813
 From       : https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
Importing GPG key 0x9F1EF813:
 Userid     : "Cloudsmith Package (enterprisedb/enterprise) <[email protected]>"
 Fingerprint: 31A4 CF09 0B3A E265 F131 58DE E71E B082 9F1E F813
 From       : https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
   OK: Updating the dnf cache to fetch the new repository metadata ...
   OK: The repository has been installed successfully - You're ready to rock!

What this did is create a new repository definition for dnf/yum:

[postgres@rhel9-postgres-tde sources]$ cat /etc/yum.repos.d/enterprisedb-enterprise.repo 

# Source: EnterpriseDB
# Site: https://cloudsmith.io
# Repository: EnterpriseDB / enterprise
# Description: A certifiably-awesome private package repository curated by EnterpriseDB, hosted by Cloudsmith.

[enterprisedb-enterprise]
name=enterprisedb-enterprise
baseurl=https://downloads.enterprisedb.com/xxx/enterprise/rpm/el/9/$basearch
repo_gpgcheck=1
enabled=1
skip_if_unavailable=1
gpgkey=https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
gpgcheck=1
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
pkg_gpgcheck=1
autorefresh=1
type=rpm-md

[enterprisedb-enterprise-noarch]
name=enterprisedb-enterprise-noarch
baseurl=https://downloads.enterprisedb.com/xxx/enterprise/rpm/el/9/noarch
repo_gpgcheck=1
enabled=1
skip_if_unavailable=1
gpgkey=https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
gpgcheck=1
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
pkg_gpgcheck=1
autorefresh=1
type=rpm-md

[enterprisedb-enterprise-source]
name=enterprisedb-enterprise-source
baseurl=https://downloads.enterprisedb.com/xxx/enterprise/rpm/el/9/SRPMS
repo_gpgcheck=1
enabled=1
skip_if_unavailable=1
gpgkey=https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
gpgcheck=1
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
pkg_gpgcheck=1
autorefresh=1
type=rpm-md
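The repository file the setup script wrote has signature and TLS checks switched on for every section (gpgcheck, repo_gpgcheck, sslverify, and https URLs for both packages and the signing key). Since those settings are what stand between you and a tampered package, the following script, an added example that is not part of the original post or of EDB's tooling, audits a .repo file section by section and reports every setting that falls short. The two sample files it constructs are a copy of the first section above (with the repository token shown as xxx, as in the post) and a deliberately weakened version of it; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnf/yum .repo definition
# for settings that weaken package authenticity and transport checks. The two
# sample files below are constructed; "xxx" stands in for the repository token.

# Emit "SECTION KEY=VALUE" for every key/value line in a .repo file.
repo_kv() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
    sec != "" && /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
      val = $0; sub(/^[^=]*=/, "", val)
      sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
      print sec, key "=" val
    }' "$1"
}

# Audit every section of a .repo file. Prints one line per weak setting and
# returns the number of findings, so 0 means the file passed.
audit_repo_file() {
  file=$1
  findings=0
  for sec in $(repo_kv "$file" | awk '{ print $1 }' | sort -u); do
    # Package signatures, repository metadata signatures and TLS verification
    # must all be switched on, as they are in the file the setup script wrote.
    for req in gpgcheck=1 repo_gpgcheck=1 sslverify=1; do
      if ! repo_kv "$file" | grep -qx "$sec $req"; then
        echo "WEAK: [$sec] does not set $req"
        findings=$((findings + 1))
      fi
    done
    # Both the package URL and the signing-key URL must use https; otherwise
    # the key used to verify the packages could itself be swapped in transit.
    for urlkey in baseurl gpgkey; do
      val=$(repo_kv "$file" | awk -v s="$sec" -v k="$urlkey=" \
        '$1 == s && index($2, k) == 1 { print substr($2, length(k) + 1) }')
      case $val in
        https://*) ;;
        *) echo "WEAK: [$sec] $urlkey is missing or not https: '$val'"
           findings=$((findings + 1)) ;;
      esac
    done
  done
  return $findings
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed: one section as written by the EDB setup script (token as xxx).
cat > "$TMPD/good.repo" <<'EOF'
[enterprisedb-enterprise]
name=enterprisedb-enterprise
baseurl=https://downloads.enterprisedb.com/xxx/enterprise/rpm/el/9/$basearch
repo_gpgcheck=1
enabled=1
gpgkey=https://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
gpgcheck=1
sslverify=1
type=rpm-md
EOF

# Constructed: the same section with signature checks off and plain-http URLs.
cat > "$TMPD/weak.repo" <<'EOF'
[enterprisedb-enterprise]
name=enterprisedb-enterprise
baseurl=http://downloads.enterprisedb.com/xxx/enterprise/rpm/el/9/$basearch
repo_gpgcheck=0
enabled=1
gpgkey=http://downloads.enterprisedb.com/xxx/enterprise/gpg.E71EB0829F1EF813.key
gpgcheck=0
sslverify=1
type=rpm-md
EOF

if audit_repo_file "$TMPD/good.repo"; then
  echo "good.repo: OK"
fi
audit_repo_file "$TMPD/weak.repo" || echo "weak.repo: $? weak setting(s)"
```

Run against /etc/yum.repos.d/enterprisedb-enterprise.repo the audit returns 0; the weakened sample yields four findings (two signature checks off, two plain-http URLs). The return value is the finding count so the script can be dropped into a provisioning pipeline as a gate.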

Installing is just a matter of telling dnf what you want to install:

[postgres@rhel9-postgres-tde ~]$ sudo dnf -y install edb-postgresextended18-server edb-postgresextended18-contrib

Similar to the community packages for Red Hat-based distributions, the binaries are installed in “/usr/edb/pge18”:

[postgres@rhel9-postgres-tde ~]$ ls -la /usr/edb/pge18/
total 16
drwxr-xr-x. 6 root root   52 Feb  6 22:05 .
drwxr-xr-x. 3 root root   19 Feb  6 22:05 ..
drwxr-xr-x. 2 root root 4096 Feb  6 22:05 bin
drwxr-xr-x. 3 root root   23 Feb  6 22:05 doc
drwxr-xr-x. 3 root root 4096 Feb  6 22:05 lib
drwxr-xr-x. 8 root root 4096 Feb  6 22:05 share

Initializing a new cluster, according to the documentation, is done with “edb-pge-18-setup”, and options for initdb are passed through the environment variable “PGSETUP_INITDB_OPTIONS”. As I want my data files under /u02/pgdata I’ll pass that in addition to the encoding given in the documentation:

[postgres@rhel9-postgres-tde ~]$ sudo PGSETUP_INITDB_OPTIONS="-E UTF-8 -D /u02/pgdata/pge18" /usr/edb/pge18/bin/edb-pge-18-setup initdb
Initializing database ... failed, see /var/lib/edb-pge/18/initdb.log

… and this fails. Looking at the log file, it is not obvious what exactly failed; the output actually looks fine:

[postgres@rhel9-postgres-tde ~]$ cat /var/lib/edb-pge/18/initdb.log
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default text search configuration will be set to "english".

Data page checksums are enabled.
Transparent data encryption is disabled.

creating directory /u02/pgdata/pge18 ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default "max_connections" ... 100
selecting default "shared_buffers" ... 128MB
selecting default time zone ... Europe/Berlin
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

    /usr/edb/pge18/bin/pg_ctl -D /u02/pgdata/pge18 -l logfile start

Looking a bit closer, there is this message: “Transparent data encryption is disabled.”, which is already a difference from the Fujitsu version of PostgreSQL. And indeed, if you want to use TDE in the EDB version of PostgreSQL, it needs to be enabled when you initialize the cluster with initdb. There is a way to migrate a non-encrypted cluster into an encrypted one, but it means using pg_upgrade to go from one to the other.
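Because TDE can only be switched on at initdb time in EDB's distribution, and switching later means a pg_upgrade with downtime, the cheapest place to catch a cluster that was initialized without it is the initdb log itself, before any data is loaded. The script below is an added example (not part of the original post or of EDB's tooling) that reads the status lines initdb prints and refuses to pass unless both data page checksums and TDE are reported as enabled. The first sample log is constructed from the lines shown above; the second assumes that a TDE-enabled initdb prints "Transparent data encryption is enabled.", which is an assumption of this example, and the function names are likewise made up for it.

```shell
#!/bin/sh
# Added example, not from the original post: gate on the status lines initdb
# prints before a freshly initialized cluster is put into use. The sample
# logs below are constructed; the "is enabled." wording for a TDE cluster is
# an assumption of this example.

# Print the status of one initdb feature line, e.g. "Transparent data
# encryption" -> enabled | disabled | unknown (line not found in the log).
initdb_feature_status() {
  log=$1; feature=$2
  line=$(grep -i "^$feature " "$log" 2>/dev/null | head -n 1)
  case $line in
    *disabled*) echo disabled ;;
    *enabled*)  echo enabled ;;
    *)          echo unknown ;;
  esac
}

# Returns 0 only if both data page checksums and TDE are enabled; prints
# what was found so the operator sees why the gate failed.
initdb_gate() {
  log=$1
  ok=0
  for feature in "Data page checksums" "Transparent data encryption"; do
    status=$(initdb_feature_status "$log" "$feature")
    echo "$feature: $status"
    [ "$status" = enabled ] || ok=1
  done
  return $ok
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed: the relevant lines from the initdb.log shown in the post.
cat > "$TMPD/initdb_no_tde.log" <<'EOF'
Data page checksums are enabled.
Transparent data encryption is disabled.
creating directory /u02/pgdata/pge18 ... ok
EOF

# Constructed (assumed wording): the same lines for a TDE-enabled cluster.
cat > "$TMPD/initdb_tde.log" <<'EOF'
Data page checksums are enabled.
Transparent data encryption is enabled.
creating directory /u02/pgdata/pge18 ... ok
EOF

initdb_gate "$TMPD/initdb_no_tde.log" \
  || echo "gate FAILED: re-run initdb with TDE enabled before loading any data"
initdb_gate "$TMPD/initdb_tde.log" && echo "gate passed"
```

The "unknown" outcome is deliberate: a log without the TDE line at all (a build without TDE support, or a truncated log) fails the gate just like an explicit "disabled", so the check never passes by accident.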

As setting up TDE is the topic of the next post, we’ll stop here; this is all that needs to be done for the installation.

Some final thoughts:

  • As with Fujitsu you need to create an account on EDB’s website.
  • To get access to the repository you need to request that using the account you’ve created before.
  • Installation is done from the EDB repository, with Fujitsu you download the rpms directly from the website.
  • TDE needs to be enabled when you initialize a new cluster. With Fujitsu’s version of PostgreSQL this can be done afterwards at the tablespace level.
  • Initializing a new cluster into a non-standard PGDATA gives an error, but for now it is not clear what that error really means.
  • Enabling TDE after initializing a new cluster means using pg_upgrade, so this comes with a downtime.